Updated on 2024-08-16 GMT+08:00

How Do I Update the Ranger Certificate in MRS 1.9.3?

MRS 1.9.3 is used as an example. Replace it with the actual cluster version. After the certificate is updated, manually clear the alarm indicating that the certificate file is invalid or about to expire.

  • The validity period of the Ranger certificate is 10 years.
  • After the Ranger certificate expires, the Ranger web UI can still be accessed and functions properly. However, a message indicating that the certificate is untrusted is displayed when you access it.
  • If Ranger is not installed in the cluster, log in to each master node and run the following command to rename the certificate file:

    mv /opt/Bigdata/MRS_1.9.3/install/MRS-Ranger-1.0.1/ranger/ranger-1.0.1-admin/ranger-admin-keystore.jks /opt/Bigdata/MRS_1.9.3/install/MRS-Ranger-1.0.1/ranger/ranger-1.0.1-admin/ranger-admin-keystore.jks_bak

  • If Ranger has been installed in the cluster, update the certificate as follows:
    1. Download MRS_1.9_Patch_UpdateRangerJks_All_20210203.tar.gz from the obs-patch bucket and upload it to the /tmp directory on the node where the active RangerAdmin instance of the cluster runs.

      On MRS Manager, choose Service > Ranger > Instance and obtain the IP address of the node where the active RangerAdmin instance runs.

    2. Log in to the node where the active RangerAdmin instance is located and run the following commands:

      cd /tmp

      chmod 700 MRS_1.9_Patch_UpdateRangerJks_All_20210203.tar.gz

      chown omm:wheel MRS_1.9_Patch_UpdateRangerJks_All_20210203.tar.gz

      su - omm

      cd /tmp

      tar -zxvf MRS_1.9_Patch_UpdateRangerJks_All_20210203.tar.gz

    3. Replace the certificate files.

      cd updateRangerJks

      sh updateRangerJks.sh ${IP address of the active Master node} ${IP address of the active RangerAdmin node} ${Certificate password}

      • This script restarts the controller process. During the restart, the MRS Manager page may be inaccessible.
      • Obtain the IP address of the active Master node from Hosts on MRS Manager.
      • To obtain the IP address of the active RangerAdmin node, choose Services > Ranger > Instances on MRS Manager.
      • ${Certificate password} is a user-defined password. Commands that carry authentication passwords pose security risks. Disable shell command history recording before running such commands to prevent the password from being leaked.
    4. Log in to the MRS console.
    5. Choose Active Clusters and click a cluster name to go to the cluster details page.
    6. Choose Components > Ranger > Service Configuration and modify the RangerAdmin configuration.
      1. Search for policymgr_https_keystore_password and change its value to the certificate password entered in step 3, that is, ${Certificate password}.

        You are advised to copy and paste the password. If the passwords are different, Ranger will fail to restart.

      2. Save the configuration and perform a rolling restart of RangerAdmin.
    7. Verify that you can log in to the RangerAdmin web UI.
      1. Choose Components > Ranger > Service Status. In Ranger Summary, click RangerAdmin corresponding to Ranger Web UI.
      2. On the Ranger web UI login page, the default username for MRS cluster 1.9.2 is admin and the password is admin@12345. The default username for MRS cluster 1.9.3 or later is admin and the password is ranger@A1!.

        After logging in to the Ranger Web UI for the first time, change the password and keep it secure.

    8. Log in to the node where the RangerAdmin instance is located and delete the temporary files.

      rm -rf /tmp/updateRangerJks

      rm -rf /tmp/updateRangerJks.tar.gz

      For a cluster with a custom topology, if the active master and RangerAdmin instances are not on the same node, log in to the active master node and delete temporary files.
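
Step 3 puts the certificate password on the command line, and its note asks you to disable command history first. The wrapper below is an added example, not part of the MRS patch package: it turns history off, prompts for the password twice with echo disabled, and then calls the script with the three arguments from step 3. The names valid_ipv4, update_ranger_jks and UPDATE_SCRIPT are assumptions of this example.

```shell
# Added example, not shipped with MRS_1.9_Patch_UpdateRangerJks_All_20210203.tar.gz.
# Assumption: run from /tmp/updateRangerJks as omm; UPDATE_SCRIPT overrides the script path.

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Usage: update_ranger_jks <active Master IP> <active RangerAdmin IP>
update_ranger_jks() {
    valid_ipv4 "$1" || { echo "invalid active Master IP: $1" >&2; return 2; }
    valid_ipv4 "$2" || { echo "invalid active RangerAdmin IP: $2" >&2; return 2; }
    # Stop this shell from recording or saving commands (set +o history is bash only).
    if [ -n "${BASH_VERSION:-}" ]; then set +o history; fi
    unset HISTFILE
    # Prompt twice with terminal echo off; a typo here would later make the
    # policymgr_https_keystore_password value differ and Ranger fail to restart.
    if [ -t 0 ]; then _tty=$(stty -g); stty -echo; fi
    printf 'Certificate password: ' >&2; IFS= read -r _pw
    printf '\nRepeat password: ' >&2;    IFS= read -r _pw2
    if [ -t 0 ]; then stty "$_tty"; fi
    printf '\n' >&2
    if [ -z "$_pw" ] || [ "$_pw" != "$_pw2" ]; then
        echo "passwords are empty or do not match" >&2; return 3
    fi
    # The script still takes the password as an argument, so it remains
    # visible in the process list while the script runs.
    sh "${UPDATE_SCRIPT:-./updateRangerJks.sh}" "$1" "$2" "$_pw"
    _rc=$?
    unset _pw _pw2
    return $_rc
}
```

Paste the function definitions into the omm shell after `cd updateRangerJks`, then call `update_ranger_jks` with the two IP addresses from MRS Manager.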